(57) A system for the validation and verification of base stations and mobile stations within a cellular radio
communications network. The system includes a fixed key and a changeable key which are applied as
inputs to an authentication algorithm. The algorithm generates key-dependent responses, at least one
of which is independent of the changeable key. The responses generated by a particular mobile station
are compared to the responses generated by the network and the presence of fraudulent users may be
detected.
CROSS REFERENCE TO RELATED APPLICATION

This application contains subject matter related to co-pending U.S. Patent Application Serial No. 

entitled "Rolling Key Resynchronization in Cellular Verification and Validation System"; and to
co-pending U.S. Patent Application Serial No. 07/556,890, entitled "Authentication System For Digital
Cellular Communications", filed on July 23, 1990. The latter application incorporates by reference co-pending
U.S. Patent Application Serial No. 07/556,358, entitled "Encryption System For Digital Cellular Communications";
co-pending U.S. Patent Application Serial No. 07/556,102, entitled "Continuous Cipher Synchronization for
Cellular Communication System"; and co-pending U.S. Patent Application Serial No. 07/566,103, entitled
"Resynchronization of Encryption Systems Upon Handoff"; each of which were filed on July 20, 1990. All of the
foregoing applications, including the subject matter contained therein, are incorporated herein by reference.

BACKGROUND OF THE INVENTION 

Field of the Invention

The present invention relates to wireless communications systems, and more particularly, to a method and
apparatus for the validation and verification of base stations and mobile stations within a cellular radio
communications system.

History of the Prior Art

Wireless Communications Systems 

Information or data signals are carried by or transmitted through two basic categories of physical channels
or media: bounded and unbounded. In a bounded medium, e.g., wire pairs, coaxial cables, waveguides, optical
fibers, etc., the signals are generally confined to and, except for small leakage amounts, do not depart from,
the medium. The most common type of bounded medium consists of twisted wire pairs which are grouped
together in cables. In an unbounded medium, e.g., air atmosphere, ocean water, etc., electromagnetic signals
or radio waves radiate freely in and spread throughout the medium. The present invention, as described
hereinafter, is more particularly concerned with wireless or cordless radio communications in unbounded
media.

Various radio frequency schemes have been devised to facilitate the transmission of data carrying
messages in unbounded media. Several communications standards for radio transmission have also been adopted
or endorsed by international bodies. Examples of such standards include the Digital European Cordless
Telecommunications (DECT), CT2 and CT3 standards. While the teachings of the present invention have broad
applicability to radio communications systems in general, the primary focus of the discussion herein shall be
cellular radio systems which are but one example of wireless communications. It will be appreciated, however,
that the present invention is not limited to cellular radio systems and may be implemented in non-cellular radio
systems as well.

Cellular Radio Systems 

Cellular radio communications is, perhaps, the fastest growing field in the world-wide telecommunications
industry. Although cellular radio communication systems comprise only a small fraction of the
telecommunications systems presently in operation, it is widely believed that this fraction will steadily increase
and will represent a major portion of the entire telecommunications market in the not too distant future. This
belief is grounded in the inherent limitations of conventional telephone communications networks which rely
primarily on wire technology to connect subscribers within the network. A standard household or office telephone,
for example, is connected to a wall outlet, or phone jack, by a telephone cord of a certain maximum length. Similarly,
wires connect the telephone outlet with a local switching office of the telephone company. A telephone user's
movement is thus restricted not only by the length of the telephone cord, but also by the availability of an
operative telephone outlet, i.e. an outlet which has been connected with the local switching office. Indeed, the
genesis of cellular radio systems can be attributed, in large part, to the desire to overcome these restrictions and
to afford the telephone user the freedom to move about or to travel away from his home or office without sacrificing
his ability to communicate effectively with others.

In a typical cellular radio system, a metropolitan area is divided into several cells, each of which is served
by a base station having a cell controller, a low-powered transmitter and an associated receiver. The user, or
the user's vehicle, carries a relatively small, wireless device which communicates with the base station and
connects the user to a mobile switching center or exchange. The exchange facilitates communications between
the user, other mobile stations in the system and landline parties in the public switched telephone network
("PSTN"). The interconnection of mobile telephone users ("mobile subscribers") with the PSTN requires that
each mobile subscriber in the system be made available to anyone who has a telephone, whether fixed or
mobile. Hence, the problem of locating a mobile subscriber moving from one area to another (a "roaming
subscriber" or "roamer") within a wide geographic area has become of primary importance. A known solution to
this problem is based on the concept of mobile registration.

Mobile registration is the process by which a mobile telephone unit becomes listed as being present in the
service area of one of the mobile exchanges in a mobile telephone service network. As each mobile telephone
unit enters a new area within the network, it transmits a unique identity signal which is detected by the mobile
exchange associated with that area. This exchange records an indication of the presence of the mobile
subscriber in its memory and then informs all the other exchanges of the presence of the mobile subscriber within
its coverage area at that particular moment. When the mobile subscriber crosses over into another area, the
exchange associated with that area, upon receiving an identity signal from the telephone unit, will record an
indication of the mobile subscriber's presence there and then transmit the identity signal to all of the other
exchanges together with its own identity signal, for the purpose of updating the mobile subscriber's position.

In other known solutions, a mobile subscriber's identity and position messages are sent by each exchange,
whose respective areas are crossed by such mobile subscriber, to a specific center. Any exchange in the mobile
network which contacts this center may receive all the information necessary for locating and making a
connection to the mobile subscriber. This solution eliminates the need to advise one or more of the other mobile
exchanges each time a mobile subscriber enters a new area without making or receiving a call there and thereby
reduces the amount of mobile subscriber location data that must be processed by each of the mobile exchanges
within the network.

In some systems, the aforementioned center may be a common, national center such as that used in the
mobile telephone location system disclosed in U.S. Patent 4,700,374 issued to Bini. In other systems, the
center may be the exchange to which a mobile subscriber is assigned (the "home exchange"). In such other
systems, the mobile subscriber may preregister in an area other than the normal service and billing area (the
"home area") for service to be provided in the other area (the "visited area") by the exchange associated with
the visited area (the "visited exchange"). When a roaming subscriber arrives in the visited area, the mobile
subscriber is qualified to make telephone calls from there and calls which are received in the mobile subscriber's
home area are forwarded to the visited area for transmission to the mobile subscriber.

Qualification of a mobile subscriber in a visited area may be automatically performed when the roaming
subscriber appears in the visited area and the mobile station is switched on, e.g., when the user initiates a first
telephone call. The roaming mobile station automatically transmits its identification number to the visited
exchange and requests roamer service. If the roaming subscriber is a visitor from a cooperating exchange, the
visited exchange provides service to the roaming subscriber by allocating a temporary roamer number to it.
The visited exchange also notifies the roaming subscriber's home exchange of the roaming subscriber's
location in the coverage area of the visited exchange. The roaming subscriber's identification number is then
entered into a list of roamers in the home exchange so that incoming calls to the roaming subscriber are forwarded
to the visited exchange where the roaming subscriber is then located.

Cellular Privacy 



One significant disadvantage of existing cellular radio communication systems is the ease with which
analog radio transmissions may be intercepted. In particular, some or all of the communications between the
mobile station and the base station may be monitored, without authorization, simply by tuning an appropriate
electronic receiver to the frequency or frequencies of the communications. Hence, anyone with access to such
a receiver and an interest in eavesdropping can violate the privacy of the communications virtually at will and
with total impunity. While there have been efforts to make electronic eavesdropping illegal, the clandestine
nature of such activities generally means that most, if not all, instances of eavesdropping will go undetected and,
therefore, unpunished and undeterred. The possibility that a competitor or a foe may decide to "tune in" to one's
seemingly private telephone conversations has heretofore hindered the proliferation of cellular radio
communication systems and, left unchecked, will continue to threaten the viability of such systems for businesses and
government applications.

It has recently become clear that the cellular radio telecommunications systems of the future will be
implemented using digital rather than analog technology. The switch to digital is dictated, primarily, by
considerations relating to system speed and capacity. A single analog, or voice, radio frequency (RF) channel can
accommodate three (3) to six (6) digital, or data, RF channels. Thus, by digitizing speech prior to transmission
over the voice channel, the channel capacity and, consequently, the overall system capacity, may be increased
dramatically without increasing the bandwidth of the voice channel. As a corollary, the system is able to handle
a substantially greater number of mobile stations at a significantly lower cost.

Although the switch from analog to digital cellular radio systems ameliorates somewhat the likelihood of
breaches in the security of communications between a base station and a mobile station, the risk of electronic
eavesdropping is far from eliminated. A digital receiver may be constructed which is capable of decoding the
digital signals and generating the original speech. The hardware may be more complicated and the undertaking
more expensive than in the case of analog transmission, but the possibility persists that highly personal or
sensitive conversations in a digital cellular radio system may be monitored by a third party and potentially used to
the detriment of the system users. Moreover, the very possibility of third parties eavesdropping on a telephone
conversation eliminates cellular telecommunications as a medium for certain government communications.
Certain business users may be equally sensitive to even the possibility of a security breach. Thus, to render
cellular systems as viable alternatives to the conventional wireline networks, security of communications must
be available on at least some circuits.

Various solutions have been proposed to alleviate the security concerns engendered by radio transmission
of confidential data. A known solution, implemented by some existing communication systems, uses
cryptoalgorithms to encrypt (scramble) digital data into an unintelligible form prior to transmission. A general discussion
of cryptographic systems may be found in the article entitled "Cloak and Data" by Rick Grehan in BYTE
Magazine, dated June 1990, at pages 311-324. In most systems currently available, speech is digitized and
processed through an encryption device to produce a communications signal that appears to be random or
pseudo-random in nature until it is decrypted at an authorized receiver. The particular algorithm used by the
encryption device may be a proprietary algorithm or an algorithm found in the public domain. Further
background for such techniques may be found in the article entitled "The Mathematics of Public-Key Cryptography"
by Martin E. Hellman in Scientific American, dated August 1979 at 146-167.

One technique for the encryption of data relies on "time-of-day" or "frame number" driven keystream
generators to produce keystreams of pseudo-random bits which are combined with the data to be encrypted.
Such keystream generators may be synchronized to a time of day counter, i.e. hour, minute and second, or to
a simple number counter and the encryption and decryption devices may be synchronized by transmitting the
current count of the transmitter counter to the receiver in the event one falls out of synchronization with another.

To increase the security of communications in systems utilizing time-of-day or frame number driven
keystream generators, the value of each bit in the pseudo-random keystream is preferably made a function of the
values of all the key bits in an encryption key. In this manner, a person desiring to descramble the encrypted
signal must "crack" or "break" all of the bits of the encryption key which may be in the order of fifty (50) to one
hundred (100) bits or more. A keystream of this type is generally produced by mathematically expanding the
encryption key word in accordance with a selected algorithm which incorporates the count of the time-of-day
counter. However, if every bit of the encryption key is to influence every bit in the keystream and if the keystream
is to be added to the data stream bits on a one-to-one basis, the required number of key word expansion
computations per second is enormous and can readily exceed the real time computational capability of the system.
The copending application entitled "Encryption System for Digital Cellular Communications", referred to above,
achieved such expansion of the keystream with conventional microprocessors and at conventional
microprocessor speeds.
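An added sketch (not from the patent or the co-pending applications) of a frame-number driven keystream with counter resynchronization, as described in the two paragraphs above. HMAC-SHA256 stands in for the key-expansion algorithm, and `keystream`, `Endpoint` and the sample key and frames are constructed for illustration.

```python
import hashlib
import hmac


def keystream(key: bytes, frame_no: int, n: int) -> bytes:
    """Expand the key and the frame counter into n pseudo-random bytes.

    HMAC-SHA256 is a stand-in (assumption); every output bit depends on
    every key bit and on the counter value.
    """
    out = b""
    block = 0
    while len(out) < n:
        msg = frame_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]


def xor_frame(key: bytes, frame_no: int, data: bytes) -> bytes:
    """Combine one frame of data with its keystream (same call both ways)."""
    ks = keystream(key, frame_no, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


class Endpoint:
    """Transmitter or receiver holding the shared key and a frame counter."""

    def __init__(self, key: bytes, frame_no: int = 0):
        self.key = key
        self.frame_no = frame_no

    def process(self, data: bytes) -> bytes:
        out = xor_frame(self.key, self.frame_no, data)
        self.frame_no += 1
        return out

    def resync(self, frame_no: int) -> None:
        # The transmitter's current count, sent to the receiver after a slip.
        self.frame_no = frame_no


def bit_difference(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo() -> dict:
    key = bytes(range(16))  # constructed 128-bit key
    frames = [b"frame-one speech", b"frame-two speech", b"frame-three spch"]
    tx, rx = Endpoint(key), Endpoint(key)

    in_sync_ok = rx.process(tx.process(frames[0])) == frames[0]

    tx.process(frames[1])          # receiver misses this frame: counters diverge
    sent_count = tx.frame_no       # count the transmitter would send for resync
    ciphertext = tx.process(frames[2])
    desync_ok = rx.process(ciphertext) == frames[2]

    rx.resync(sent_count)
    after_resync_ok = rx.process(ciphertext) == frames[2]

    # Flip a single key bit and count how many of 256 keystream bits change.
    flipped_key = bytes([key[0] ^ 1]) + key[1:]
    flipped_bits = bit_difference(keystream(key, 0, 32), keystream(flipped_key, 0, 32))

    return {
        "in_sync_ok": in_sync_ok,
        "desync_ok": desync_ok,
        "after_resync_ok": after_resync_ok,
        "flipped_bits": flipped_bits,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```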

The use of an encryption key to generate a pseudo-random keystream which is a complex function of all
the key bits is a very useful tool for securing digital communications. Other tools may include arrangements
for ensuring that the secret key assigned to each mobile station (the permanent key) is never directly used
outside of the home network, i.e., the normal service and billing area of the mobile station. Instead, the permanent
key is used to generate other bits (the security key) which are used for enciphering a particular call and which
may be transmitted from the home network to a visited network, i.e., an area other than the normal billing area
into which the mobile station has roamed. Such arrangements reduce the risk of unauthorized disclosure of
the secret key to a third party which may use the secret key to defeat the encryption process.

Cellular Fraud 

Another significant disadvantage of existing cellular radio communication systems has been the
widespread fraudulent use of mobile identification numbers ("MINs") to steal cellular service. The past, present and
future state of cellular fraud and the resultant revenue and service losses are discussed in the article entitled
"Cellular Fraud" by Henry M. Kowalczyk in Cellular Business, dated March 1991, at 32-35. As stated therein,
the earliest form of cellular fraud was roamer fraud in which the MIN of a paying (valid) mobile subscriber was

EP 0 506 637 A2

used by a nonsubscriber to qualify for service with a serving switch and to place fraudulent calls from the area
served by the switch. Such fraudulent use was often not detected unless and until the billing information was
received and questioned by the paying subscriber.

In response to this early and comparatively simple form of roamer fraud, a variety of verification and
validation systems were developed and installed. While these systems were somewhat successful in reducing
roamer fraud levels to a more acceptable level, they did not eliminate it. Furthermore, recent advances in
technology have produced a new and more sophisticated form of fraud known as "ESN tumbling" which takes
advantage of certain post-first-call limitations of these systems by changing the electronic serial number
("ESN") of a caller rather than the caller's MIN after placing one or more successful roamer calls with the first
ESN. Efforts to combat ESN tumbling through post-first-call validation have, in turn, led to a new fraud
technology in which both the MIN and the ESN are tumbled.

Although short-term, piecemeal solutions to the problem of cellular fraud have been developed and
implemented, including defaulting all roamers to 0+ dialing and even cancellation of roamer service in some cases,
they have not kept pace with the increasing complexity of fraud systems. New and elusive fraud types, such
as cloning, whereby a fraudulent user adopts the directory telephone number of a valid subscriber, require
long-term solutions which will prevent existing fraud methods and outpace emerging fraud technologies. One such
long-term solution is based on the authentication of mobile stations at registration, call initiation or call reception,
or during call conversation.

Authentication may be simply viewed as the process of confirming the identity of a mobile station in the
network. Both authentication and encryption require communication between the visited network and the home
network, where the mobile station has a permanent registration, in order to obtain mobile-specific information
such as the security key used for encryption which is preferably calculated in the home network. The copending
U.S. Patent Application entitled "Authentication System For Digital Cellular Communications", referred to
above, discloses an authentication system in which the functions of authentication and encryption can be linked
so that a single inter-network transaction establishes both functions. As described in detail therein, the
foregoing authentication system achieves such integration by generating, in the same transaction, not only a
key-dependent response (RESP) to a random challenge (RAND), but also a security key (S-key) which may be used
to encipher user traffic.

As mentioned earlier, a serious problem in existing cellular systems is the fraudulent use of cellular service
by invalid or "false" mobile stations. Heretofore, for example, it has been possible to copy the entire memory
contents of a mobile station and to manufacture clones which may demand and receive service from the
network. One proposed solution is to provide each authorized mobile station with a specific authentication module,
or smartcard, which has read-only or read-and-write access for the permanent key. This solution, however,
renders the mobile station more complex and more expensive. The authentication system described in the
copending U.S. Patent Application entitled "Authentication System For Digital Cellular Communications", includes
a "rolling key" (B-key) which affects response (RESP) and provides a more cost-effective safeguard against
the threat of false mobile stations. In addition, to meet the threat of a "false base station" in the network, the
foregoing authentication system includes a bilateral authentication procedure which may be used when the
rolling key is updated. This two-way authentication procedure enhances security and permits bilateral
authentication to be performed, for example, on the dedicated traffic channels of the system at any time during a call.
Each authentication step may be generally performed at the option of the network operator but is preferably
performed at least once after the active presence of a mobile station is first detected within a network so as to
generate an S-key for the first call where encryption is enabled.

The rolling key or B-key used to counteract false mobile stations in the network may occasionally fall out
of synchronization. If the response (RESP) depends on the B-key, and the network and a valid mobile station
are using different B-keys, the RESP generated by the mobile station and transmitted to the network will not
match the RESP internally generated by the network. The valid mobile station will then appear to the network
as a fraudulent mobile station. The present invention allows the network to distinguish between a valid mobile
station using an unsynchronized B-key and a fraudulent mobile station. In addition, the present invention also
allows the network to distinguish between the classical non-clone, e.g., ESN tumbling, fraudulent users and
the more advanced clone fraudulent users.

SUMMARY OF THE INVENTION 

In one aspect, the system of the present invention includes a procedure and hardware for providing
adaptable authentication of a mobile station within a radio network.

In another aspect, the present invention includes a method for the verification and validation of a mobile
station in a radio network in accordance with an authentication algorithm executed in each of the mobile station
and the network. A random challenge signal is transmitted from the network to the mobile station. A set of inputs
including the random challenge signal transmitted from the network to the mobile station, a fixed key value and
a changeable key value are applied to the authentication algorithm. A set of outputs including a first response
signal, which is dependent on the fixed key value and independent of the changeable key value, and a second
response signal, which is dependent on the changeable key value, are generated from the authentication
algorithm. The first and second response signals are transmitted to the network and compared with the first
and second response signals generated in the network.

In still another aspect, the system of the present invention includes the generation of parameters for use
in enhancing the security of communications in a communications network wherein a mobile station is assigned
a unique multi-digit permanent key, wherein a changeable multi-digit rolling key is employed for increased
security, and wherein both the permanent key and the rolling key are stored in the mobile station and in the network.
A plurality of multi-digit input signals received at a location include a signal representative of an authentication
inquiry from the network along with the multi-digit permanent key of a particular mobile station and the multi-digit
rolling key associated with the particular mobile station at that particular time. At least some of the digits of the
input signals are arranged in a first grouping and a first output value is calculated in accordance with a first
algorithm from the first grouping of input signals and the permanent key digits. Sequentially arranged blocks
of at least some of the digits comprising the first output value are assigned to selected parameters for use within
the system including a first authentication response to be used by the mobile station to reply to the
authentication inquiry by the network. At least some of the digits of the input signals are arranged in a second grouping
and a second output value is calculated in accordance with a second algorithm from the second grouping of
input signals and the permanent and rolling key digits. Sequentially arranged blocks of at least some of the
digits comprising the second output value are assigned to selected parameters for use within the system
including a second authentication response to be used by the mobile station to reply to the authentication inquiry
by the network. The first and second authentication responses may be combined into a single authentication
response signal.
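The two-response check described in the two paragraphs above, as an added Python example that is not code from the patent. HMAC-SHA256 stands in for the unspecified authentication algorithm, and the names `compute_responses`, `SubscriberRecord` and `verify`, the 4-byte response width and all key values are assumptions constructed for illustration. The outcome labels reflect this example's reading of which key a mismatch implicates; the network's follow-up action is not specified in this section.

```python
import hashlib
import hmac
from dataclasses import dataclass

RESP_LEN = 4  # assumed width, in bytes, of each authentication response


def _output_value(label: bytes, rand: bytes, *keys: bytes) -> bytes:
    # Stand-in for the authentication algorithm (assumption): HMAC-SHA256
    # keyed with the supplied key material over a label and the challenge.
    return hmac.new(b"".join(keys), label + rand, hashlib.sha256).digest()


def compute_responses(rand: bytes, permanent_key: bytes, rolling_key: bytes) -> bytes:
    """Run on both sides; returns the combined response RESP1 || RESP2."""
    # First output value: permanent (fixed) key only, so a rolling-key
    # mismatch cannot change it.
    resp1 = _output_value(b"first", rand, permanent_key)[:RESP_LEN]
    # Second output value: permanent and rolling (changeable) key together.
    resp2 = _output_value(b"second", rand, permanent_key, rolling_key)[:RESP_LEN]
    return resp1 + resp2


@dataclass
class SubscriberRecord:
    """Network-side copy of one mobile station's keys (hypothetical structure)."""
    permanent_key: bytes
    rolling_key: bytes


def verify(record: SubscriberRecord, rand: bytes, combined: bytes) -> str:
    """Compare a station's combined response with the network's own."""
    if len(combined) != 2 * RESP_LEN:
        return "malformed"
    expected = compute_responses(rand, record.permanent_key, record.rolling_key)
    first_ok = hmac.compare_digest(combined[:RESP_LEN], expected[:RESP_LEN])
    second_ok = hmac.compare_digest(combined[RESP_LEN:], expected[RESP_LEN:])
    if first_ok and second_ok:
        return "both-match"      # permanent and rolling key agree with the network
    if first_ok:
        # Holder of the permanent key whose rolling key differs from the
        # network's copy: a valid station out of sync, or a copy of one.
        return "first-only"
    # Station does not hold the permanent key at all, as with a tumbled
    # MIN/ESN identity that was never provisioned with it.
    return "first-mismatch"


def demo() -> dict:
    # Constructed sample values, not taken from the patent.
    rand = bytes.fromhex("a1b2c3d4e5f60718")
    perm = bytes.fromhex("00112233445566778899aabbccddeeff")
    roll_now = bytes.fromhex("0f0e0d0c0b0a0908")
    roll_old = bytes.fromhex("0102030405060708")
    guessed = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    record = SubscriberRecord(perm, roll_now)
    return {
        "in_sync": verify(record, rand, compute_responses(rand, perm, roll_now)),
        "stale_rolling_key": verify(record, rand, compute_responses(rand, perm, roll_old)),
        "no_permanent_key": verify(record, rand, compute_responses(rand, guessed, roll_now)),
    }


if __name__ == "__main__":
    for station, outcome in demo().items():
        print(f"{station:18} -> {outcome}")
```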

BRIEF DESCRIPTION OF THE DRAWINGS 

The present invention will be better understood and its numerous objects and advantages will become
apparent to those skilled in the art by reference to the following drawings in which:

FIG. 1 is a pictorial representation of a cellular radio communications system including a mobile switching
center, a plurality of base stations and a plurality of mobile stations;

FIG. 2 is a schematic block diagram of mobile station equipment used in accordance with one embodiment
of the system of the present invention;

FIG. 3 is a schematic block diagram of base station equipment used in accordance with one embodiment
of the system of the present invention;

FIG. 4 is a pictorial representation of an authentication system which may be used for both unilateral and
bilateral authentication;

FIG. 5 is a pictorial representation of an authentication system constructed in accordance with the present
invention;

FIG. 6 is a schematic block diagram of the mixing process used in an exemplary authentication algorithm
for the present invention; and

FIG. 7 is a schematic block diagram of a building block or mixing cell of the mixing process shown in FIG. 6.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

Digital Cellular System 

Referring first to FIG. 1, there is illustrated therein a conventional cellular radio communications system of
a type to which the present invention generally pertains. In FIG. 1, an arbitrary geographic area may be seen
divided into a plurality of contiguous radio coverage areas, or cells, C1-C10. While the system of FIG. 1 is shown
to include only 10 cells, it should be clearly understood that, in practice, the number of cells may be much larger.

Associated with and located within each of the cells C1-C10 is a base station designated as a corresponding
one of a plurality of base stations B1-B10. Each of the base stations B1-B10 includes a transmitter, a receiver
and controller as is well known in the art. In FIG. 1, the base stations B1-B10 are located at the center of the
cells C1-C10, respectively, and are equipped with omni-directional antennas. However, in other configurations
of the cellular radio system, the base stations B1-B10 may be located near the periphery, or otherwise away
from the centers of the cells C1-C10 and may illuminate the cells C1-C10 with radio signals either
omni-directionally or directionally. Therefore, the representation of the cellular radio system of FIG. 1 is for purposes of
illustration only and is not intended as a limitation on the possible implementations of the cellular radio system.

With continuing reference to FIG. 1, a plurality of mobile stations M1-M10 may be found within the cells
C1-C10. Again, only ten mobile stations are shown in FIG. 1 but it should be understood that the actual number
of mobile stations may be much larger in practice and will invariably exceed the number of base stations.
Moreover, while none of the mobile stations M1-M10 may be found in some of the cells C1-C10, the presence
or absence of the mobile stations M1-M10 in any particular one of the cells C1-C10 should be understood to
depend, in practice, on the individual desires of each of the mobile stations M1-M10 who may roam from one
location in a cell to another or from one cell to an adjacent or neighboring cell.

Each of the mobile stations M1-M10 is capable of initiating or receiving a telephone call through one or
more of the base stations B1-B10 and a mobile switching center MSC. The mobile switching center MSC is
connected by communications links, e.g. cables, to each of the illustrative base stations B1-B10 and to the fixed
public switching telephone network (PSTN), not shown, or a similar fixed network which may include an
integrated system digital network (ISDN) facility. The relevant connections between the mobile switching center
MSC and the base stations B1-B10, or between the mobile switching center MSC and the PSTN or ISDN, are
not completely shown in FIG. 1 but are well known to those of ordinary skill in the art. Similarly, it is also known
to include more than one mobile switching center in a cellular radio system and to connect each additional
mobile switching center to a different group of base stations and to other mobile switching centers via cable or
radio links.

Each of the cells C1-C10 is allocated a plurality of voice or speech channels and at least one access or
control channel. The control channel is used to control or supervise the operation of mobile stations by means
of information transmitted to and received from those units. Such information may include incoming call signals,
outgoing call signals, page signals, page response signals, location registration signals, voice channel
assignments, maintenance instructions and "handoff" instructions as a mobile station travels out of the radio coverage
of one cell and into the radio coverage of another cell. The control or voice channels may operate either in an
analog or a digital mode or a combination thereof. In the digital mode, analog signals, such as voice or DTMF
tone signals, are converted to digital signal representations prior to transmission over the RF channel. Purely
data messages, such as those generated by computers or by digitized voice devices, may be formatted and
transmitted directly over a digital channel.

Signals from more than one source must normally be sent over a single RF channel in a cellular radio
system. The bandwidth of a channel available to carry signals may be allocated by frequency, time intervals
or codes. In frequency division multiplexing (FDM), the frequency spectrum represented by the available
bandwidth of a channel is divided into smaller bandwidth portions and one of several signal sources is
assigned to each portion. Another method for dividing the capacity of a channel among several separate
signal sources is time division multiplexing (TDM). In a cellular radio system using TDM, a plurality of
digital channels may share a common RF channel. The RF channel is divided into a series of "time slots",
each containing a burst of information from a different data source and separated by guard time from one
another, and the time slots are grouped into "frames" as is well known in the art. The number of time slots
per frame varies depending on the bandwidth of the digital channels sought to be accommodated by the RF
channel. The frame may, for example, consist of three (3) time slots, each of which is allocated to a
digital channel. Thus, the RF channel will accommodate three digital channels. In one embodiment of the
present invention discussed herein, a frame is designated to comprise three time slots. However, the
teachings of the present invention should be clearly understood to be equally applicable to a cellular radio
system utilizing any number of time slots per frame. Further, the teachings of the present invention are
equally applicable to a cellular radio system utilizing frequency division multiplexing (FDM) or code
division multiplexing (CDM).

Mobile Station

Referring next to FIG. 2, there is shown therein a schematic block diagram of the mobile station equipment
which is used in accordance with one embodiment of the present invention. The equipment illustrated in
FIG. 2 may be used for communication over digital channels. A voice signal detected by a microphone 100 and
destined for transmission by the mobile station is provided as input to a speech coder 101 which converts
the analog voice signal into a digital data bit stream. The data bit stream is then divided into data
packets or messages in accordance with the time division multiple access (TDMA) technique of digital
communications. A fast associated control channel (FACCH) generator 102 exchanges control or supervisory
messages with a base station in the cellular radio system. The conventional FACCH generator operates in a
"blank and burst" fashion whereby a user frame of data is muted and the control message generated by the
FACCH generator 102 is transmitted instead at a fast rate.

In contrast to the blank and burst operation of the FACCH generator 102, a slow associated control channel
(SACCH) generator 103 continuously exchanges control messages with the base station. The output of the
SACCH generator is assigned a fixed length byte, e.g. 12 bits, and included as a part of each time slot in
the message train (frames). Channel coders 104, 105, 106 are connected to the speech coder 101, FACCH
generator 102 and SACCH generator 103, respectively. Each of the channel coders 104, 105, 106 performs
error detection and recovery by manipulating incoming data using the techniques of convolutional encoding,
which protects important data bits in the speech code, and cyclic redundancy check (CRC), wherein the most
significant bits in the speech coder frame, e.g., 12 bits, are used for computing a 7 bit error check.

Referring again to FIG. 2, the channel coders 104, 105 are connected to a multiplexer 107, which is used
for time division multiplexing of the digitized voice messages with the FACCH messages. The output of the
multiplexer 107 is coupled to a 2-burst interleaver 108 which divides each data message to be transmitted
by the mobile station (for example, a message containing 260 bits) into two equal but separate parts (each
part containing 130 bits) arranged in two consecutive time slots. In this manner, the deteriorative effects
of Rayleigh fading may be significantly reduced. The output of the 2-burst interleaver 108 is provided as
input to a modulo-2 adder 109 where the data to be transmitted is ciphered on a bit-by-bit basis by logical
modulo-2 addition with a pseudo-random keystream which may be generated in accordance with the system
described in the co-pending U.S. patent application entitled "Encryption System for Digital Cellular
Communications," referred to above.

The output of the channel coder 106 is provided as input to a 22-burst interleaver 110. The 22-burst
interleaver 110 divides the SACCH data into 22 consecutive time slots, each occupied by a byte consisting
of 12 bits of control information. The interleaved SACCH data forms one of the inputs to a burst generator
111. Another input to the burst generator 111 is provided by the output of the modulo-2 adder 109. The
burst generator 111 produces "message bursts" of data, each consisting of a time slot identifier (TI), a
digital verification color code (DVCC), control or supervisory information and the data to be transmitted,
as further explained below.

Transmitted in each of the time slots in a frame is a time slot identifier (TI), which is used for time
slot identification and receiver synchronization, and a digital verification color code (DVCC), which
ensures that the proper RF channel is being decoded. In the exemplary frame of the present invention, a set
of three different 28-bit TIs is defined, one for each time slot, while an identical 8-bit DVCC is
transmitted in each of the three time slots. The TI and DVCC are provided in the mobile station by a sync
word/DVCC generator 112 connected to the burst generator 111 as shown in FIG. 2. The burst generator 111
combines the outputs of the modulo-2 adder 109, the 22-burst interleaver 110 and the sync word/DVCC
generator 112 to produce a series of message bursts, each comprised of data (260 bits), SACCH information
(12 bits), TI (28 bits), coded DVCC (12 bits) and 12 delimiter bits for a total of 324 bits which may be
integrated according to the time slot format specified by the EIA/TIA IS-54 standard.

Each of the message bursts is transmitted in one of the three time slots included in a frame as discussed
hereinabove. The burst generator 111 is connected to an equalizer 113 which provides the timing needed to
synchronize the transmission of one time slot with the transmission of the other two time slots. The
equalizer 113 detects timing signals sent from the base station (master) to the mobile station (slave) and
synchronizes the burst generator 111 accordingly. The equalizer 113 may also be used for checking the
values of the TI and the DVCC. The burst generator 111 is also connected to a 20ms frame counter 114 which
is used to update a ciphering code that is applied by the mobile station every 20ms, i.e., once for every
transmitted frame. The ciphering code is generated by a ciphering unit 115 with the use of a mathematical
algorithm and under the control of a key 116 which is unique to each mobile station. The algorithm may be
used to generate a pseudo-random keystream in accordance with the system described in the co-pending U.S.
patent application entitled "Encryption System for Digital Cellular Communications."

The message bursts produced by the burst generator 110 are provided as input to an RF modulator 117. The RF
modulator 117 is used for modulating a carrier frequency according to the π/4-DQPSK technique (π/4 shifted,
differentially encoded, quadrature phase shift key). The use of this technique implies that the information
to be transmitted by the mobile station is differentially encoded, i.e., two bit symbols are transmitted as
4 possible changes in phase: + or - π/4 and + or - 3π/4. The carrier frequency for the selected
transmitting channel is supplied to the RF modulator 117 by a transmitting frequency synthesizer 118. The
burst modulated carrier signal output of the RF modulator 117 is amplified by a power amplifier 119 and
then transmitted to the base station through an antenna 120.

The mobile station receives burst modulated signals from the base station through an antenna 121 connected
to a receiver 122. A receiver carrier frequency for the selected receiving channel is generated by a
receiving frequency synthesizer 123 and supplied to an RF demodulator 124. The RF demodulator 124 is used
to demodulate the received carrier signal into an intermediate frequency signal. The intermediate frequency
signal is then demodulated further by an IF demodulator 125 which recovers the original digital information
as it existed prior to π/4-DQPSK modulation. The digital information is then passed through the equalizer
113 to a symbol detector 126 which converts the two-bit symbol format of the digital data provided by the
equalizer 114 to a single bit data stream.

The symbol detector 126 produces two distinct outputs: a first output, comprised of digitized speech data
and FACCH data, and a second output, comprised of SACCH data. The first output is supplied to a modulo-2
adder 127 which is connected to a 2-burst deinterleaver 128. The modulo-2 adder 127 is connected to the
ciphering unit 115 and is used to decipher the encrypted transmitted data by subtracting, on a bit-by-bit
basis, the same pseudo-random keystream used by the transmitter in the base station to encrypt the data.
The modulo-2 adder 127 and the 2-burst deinterleaver 128 reconstruct the speech/FACCH data by assembling
and rearranging information derived from two consecutive frames of the digital data. The 2-burst
deinterleaver 128 is coupled to two channel decoders 129, 130 which decode the convolutionally encoded
speech/FACCH data using the reverse process of coding and check the cyclic redundancy check (CRC) bits to
determine if any error has occurred. The channel decoders 129, 130 detect distinctions between the speech
data on the one hand, and any FACCH data on the other, and route the speech data and the FACCH data to a
speech decoder 131 and an FACCH detector 132, respectively. The speech decoder 131 processes the speech
data supplied by the channel decoder 129 in accordance with a speech coder algorithm, e.g. VSELP, and
generates an analog signal representative of the speech signal transmitted by the base station and received
by the mobile station. A filtering technique may then be used to enhance the quality of the analog signal
prior to broadcast by a speaker 133. Any FACCH messages detected by the FACCH detector 132 are forwarded to
a microprocessor 134.

The second output of the symbol detector 126 (SACCH data) is supplied to a 22-burst deinterleaver 135. The
22-burst interleaver 135 reassembles and rearranges the SACCH data which is spread over 22 consecutive
frames. The output of the 22-burst deinterleaver 135 is provided as input to a channel decoder 136. SACCH
messages are detected by an SACCH detector 137 and the control information is transferred to the
microprocessor 134.

The microprocessor 134 controls the activities of the mobile station and communications between the mobile
station and the base station. Decisions are made by the microprocessor 134 in accordance with messages
received from the base station and measurements performed by the mobile station. The microprocessor 134 is
also provided with a terminal keyboard input and display output unit 138. The keyboard and display unit 138
allows the mobile station user to exchange information with the base station.

Base Station

Referring next to FIG. 3, there is shown a schematic block diagram of the base station equipment which is
used in accordance with one embodiment of the present invention. A comparison of the mobile station
equipment shown in FIG. 2 with the base station equipment shown in FIG. 3 demonstrates that much of the
equipment used by the mobile station and the base station is substantially identical in construction and
function. Such identical equipment is, for the sake of convenience and consistency, designated with the
same reference numerals in FIG. 3 as those used in connection with FIG. 2, but is differentiated by the
addition of a prime (') in FIG. 3.

There are, however, some minor differences between the mobile station and the base station equipment. For
instance, the base station has not just one but two receiving antennas 121'. Associated with each of the
receiving antennas 121' are a receiver 122', an RF demodulator 124', and an IF demodulator 125'.
Furthermore, the base station includes a programmable frequency combiner 118A' which is connected to a
transmitting frequency synthesizer 118'. The frequency combiner 118A' and the transmitting frequency
synthesizer 118' carry out the selection of the RF channels to be used by the base station according to the
applicable cellular frequency reuse plan. The base station, however, does not include a user keyboard and
display unit similar to the user keyboard and display unit 138 present in the mobile station. It does,
however, include a signal level meter 100' connected to measure the signal received from each of the two
receivers 122' and to provide an output to the microprocessor 134'. Other differences in equipment between
the mobile station and the base station may exist which are well known in the art.

Having described an operating environment consisting of a cellular radio network including mobile stations
and base stations, the verification and validation system of the present invention will be set forth below
in detail. Unless the context otherwise requires, the term "network" as used hereinafter includes a single
base station having a limited radio coverage area and associated with an exchange in a cellular radio
communications system. Hence, the term "home network" as used hereinafter includes a base station
associated with the home exchange while the term "visited network" as used hereinafter includes a base
station associated with the visited exchange.

Authentication

Referring now to FIG. 4, a pictorial representation of an authentication system having a plurality of
inputs applied to an algorithm and a plurality of outputs generated by the algorithm may now be seen. The
depiction in FIG. 4 will form the basis for the ensuing discussion of both unilateral and bilateral
authentication which, for convenience and simplicity, are assumed to be executed by the authentication
system with the use of one authentication algorithm referred to hereinafter as AUTH. In other words, it is
assumed for purposes of the following discussion that the same authentication algorithm (AUTH) is used in
generating the outputs needed for unilateral and bilateral authentication. Conceivably, a different
algorithm may be used for unilateral authentication than for bilateral authentication so long as the same
unilateral and bilateral authentication algorithms are used by both the mobile station and the network. The
particular choice and specific details of the authentication algorithm(s), however, are not critical
aspects of the present invention and reference is hereby made to U.S. Patent Application Serial No.
07/556,890, entitled "Authentication System For Digital Cellular Communications", which sets forth an
exemplary authentication algorithm, as necessary or useful for a more complete understanding of the present
invention.

Unilateral Authentication

To perform the process of unilateral authentication, the network determines and broadcasts to the mobile
station a random challenge number ("RAND") contained, for example, in a random challenge global action
message periodically appended to the overhead message train. The mobile station stores the value of the
RAND in memory and identifies itself to the network by sending a mobile identification number (MIN)
derived, for example, from the mobile station's 10-digit directory telephone number (area code and
telephone number), so that the network can retrieve information pertaining to that particular mobile
station, e.g., security keys, from the location or database in which they are stored. The mobile station
and the network each uses bits of the RAND, a permanent authentication key (A-key), which is a secret key
known only to the mobile station and the network and preferably never transmitted over the air interface,
and other inputs including, for example, the factory-set electronic serial number (ESN) which uniquely
identifies the mobile station, and, possibly also, the MIN of the mobile station, to compute both a
response (RESP) to the RAND and a short-term or temporary encryption key (S-key or call variable) in
accordance with a preselected authentication algorithm (AUTH). The RESP generated at the mobile station is
transmitted to the network where it is compared with the internally-generated version and, if a match is
found, the network may grant the mobile station access for registration or initiation or reception of a
call. The S-key can be used to encipher subsequent calls placed to or from the mobile station.



RAND

The RAND used for unilateral authentication (discussed above) is a "global" RAND which is determined by,
for example, the visited network and sent to all mobile stations in the coverage area of the visited
network. By contrast, the RAND used for bilateral authentication (discussed below) is a "mobile-specific"
RAND which is determined by, for example, the home network and sent to a particular mobile station in the
coverage area of a visited network. The specific choices between global and mobile-specific, and between
home network and visited network, RANDs made herein are for illustration purposes only and are not intended
as a limitation on the present invention. Similarly, the particular type of communications channel, e.g.,
voice or control, used for transmitting the RAND to the mobile station is an implementation issue for
network operators. It will be appreciated by those of ordinary skill in the art, however, that the common
control channel is especially suited for global RAND transmission while the mobile-specific RAND may be
advantageously transmitted over the voice or speech channel.

Secret Keys Management

Another implementation issue for network operators is secret keys management. Secret keys, such as the
A-key (and the B-key discussed below), must be stored in a convenient location from which they can be
readily accessed. The particular network location selected for storage of the secret keys has certain
operational ramifications which are not of immediate significance to the present invention. It should be
noted, however, that inter-network communications are simplified and security is enhanced if the secret
keys, e.g., the A-key (and the B-key), are stored in the home network, or at least in a location under the
control of the home network, so that only security variables, e.g., S-key, are transmitted between the home
network and a visited network. In parts of the remaining discussion, it is assumed that the secret keys are
stored in, or controlled by, the home network of the mobile station.

The issue of secret keys management arises in connection with the mobile station as well. The mobile
station may, for example, store all the secret keys, e.g., A-key and B-key, in an internal memory device.
Alternatively, each mobile subscriber may carry a subscriber identity module (SIM), e.g., smart card, which
contains the secret keys and which may be connected to the mobile station memory. In some applications, the
mobile station may store one of the secret keys in internal memory and the other key may be stored in the
SIM. It should be clearly understood that the question of secret keys management, whether as to the network
or the mobile station, is ancillary to the present invention as set forth herein.

Location of AUTH

Yet another implementation issue for network operators is the network location for execution of AUTH. If
AUTH is executed in the home network, the visited network must transmit at least MIN and global RAND to the
home network in order to receive the RESP and S-key. On the other hand, if AUTH is executed in the visited
network, that network must transmit at least MIN to the home network and the home network must, in turn,
transmit to the visited network the A-key, the ESN (if ESN is used in AUTH) and the permanent encryption
key (if different from the A-key).

From a security standpoint, however, it is undesirable for the home network to release a subscriber's
permanent security key merely on demand by a visited network. Such keys should constitute the subscriber's
long-term security guarantee rather than a short-term call variable. It is, therefore, more desirable that
the home network, upon receiving from the visited network the MIN of a visiting mobile station, the RAND
broadcast by the visited network and the RESP received by the visited network from the mobile station,
generate a short-term (temporary) ciphering key (S-key or call variable) and release the S-key to the
visited network only if the RESP is deemed to be valid.

Call Variable or S-key

Execution of the authentication algorithm in the home network allows the authentication algorithm (AUTH)
to safely use the long-term (permanent) secret key, referred to herein as the A-key, which is unique to
each mobile station. The A-key is preferably never released outside the home network and never used
directly for enciphering but is, instead, used for generating a short-term encryption key, referred to
herein as the S-key. The S-key is used only for a limited period of time to be determined by the cellular
operator. If, for example, the visited network has already acquired an S-key for a previously registered
visiting (roaming) mobile station, performance of authentication is optional and call set-up may proceed
directly to the enciphered traffic channel. Hence, it is not necessary for inter-network exchanges to take
place every time a visiting mobile station places a call. If, on the other hand, the visited network
decides to request an authentication, the mobile station and the home network will use the current RAND of
the visited network to generate a new S-key, other inputs to the AUTH algorithm being unchanged.

Rolling Key or B-Key

A valid mobile station may be borrowed, stolen or legally acquired and its entire memory contents may be
copied, including its ESN, secret keys, e.g., A-key, etc., and used to manufacture a number of clones which
produce authentication responses which are identical to those of the valid mobile station. The cloning
procedure may be quite sophisticated and may include software modifications which replace physically stored
ESN information with electronically stored information so that a number of stored mobile station identities
may be cyclically rotated (tumbled) within one false mobile station and used to imitate several genuine
mobile stations. The authentication system of FIG. 4 provides an anti-cloning safeguard based on a dynamic,
i.e., changeable, "rolling key" which is stored in each of the home network and the mobile station and
which is used along with the permanent secret key (A-key) for calculating authentication responses,
temporary encryption keys and new rolling keys.

The principle behind the rolling key concept is to require certain historical information in each of the
network and the mobile station to match as a means of protection against clones and as an alternative to
requiring complex and expensive physical protection of mobile station memories. Specifically, in order for
a clone mobile station to gain access to the network, the clone would be required to intercept the entire
history of authentication challenges subsequent to the time of copying the then current state of a genuine
mobile station. Because each authentication may change the value of the rolling key (B-key), the
key-dependent responses generated by a valid and a clone mobile station, which have identical memory
contents, e.g., A-key and B-key, at the time of copying but different authentication histories, e.g.,
B-keys, at some future point, will begin to diverge from each other and from the responses internally
generated by the network, thereby alerting the network to the existence of the clone. In the absence of a
rolling key, a clone which has copied the A-key will always produce the same response as the valid mobile
station and may thus escape detection.

Consistent with the present invention, authentication may be carried out in the home network using a
combination of a rolling key, referred to herein as the B-key, which contains historical information, and
the permanent mobile subscriber key (A-key), which is never used alone in AUTH but is used only for
generating one or more operating keys, e.g., S-keys and B-keys. The AUTH computes a new value for the
rolling key which becomes the current value of the rolling key whenever the mobile station and the home
network agree on an update. Such an update may be triggered, for example, by a request from the visited
network or the home network for execution of a bilateral authentication procedure as further described
below.

Bilateral Authentication

Bilateral authentication, i.e., authentication of both the mobile station and the network, may be
distinguished from unilateral authentication in that the authentication information sent in both directions
is key-dependent in the former, whereas only the information sent in the direction mobile station to
network is key-dependent in the latter. According to FIG. 4, the RAND is used as an input to AUTH which
generates a long response comprised of a RESP and a RESPBIS. The RESP is sent by the mobile station to the
network to validate the mobile station and the RESPBIS is sent from the network to the mobile station to
validate the network. The network transmits to the mobile station an authentication order or message which
includes the RAND and the RESPBIS. The mobile station uses the RAND to compute a RESP and a RESPBIS in
accordance with the AUTH and sends the internally generated RESP to the network only if the internally
generated RESPBIS matches the RESPBIS received from the network. Otherwise, i.e., if the internally
generated RESPBIS does not match the RESPBIS received from the network, the mobile station does not send
the RESP to the network, but sends, instead, a confirmation or an acknowledgement (ACK) of receipt of the
authentication order from the network. This prevents a false base station from extracting RAND, RESP pairs
from the mobile station and the verification of the mobile station and network identities allows security
status updating to proceed at a convenient later point in relative safety.

The primary and dual functions of bilateral authentication are to trigger a rolling-key (B-key) update in
both the mobile station and the home network while, at the same time, validating them to each other and,
thus, preventing certain forms of false base station attacks on the security of the system. The former
function, i.e., B-key update, may be separated from the latter function, i.e., reciprocal validation, by
the use of a B-key step flag which may, for example, be sent from the network to the mobile station. The
B-key step flag allows the network operator to selectively control, e.g., enable or disable, the updating
of the B-key (and S-key) and may consist, for example, of a designated binary bit (1 or 0 value) contained
in the authentication order or message. A new S-key for the next call and a new B-key for the next
authentication are calculated by the mobile station only if the internally generated RESPBIS matches the
RESPBIS received from the network and the B-key step flag is active, i.e., value set to 1. If the B-key
step flag is inactive, i.e., value set to 0, the current B-key is saved and used for the next
authentication and the current S-key is saved and used to cipher the next call.

In a typical bilateral authentication, the RAND value is determined by the home network and sent along
with a RESPBIS to the visited network and, therefrom, to the mobile station. If the mobile station
validates the RESPBIS, the mobile station will send a RESP to the visited network which sends the RESP to
the home network for validation. The home network compares the RESP received from the visited network with
the internally generated RESP and informs the visited network of the result. If the home network validates
the RESP, the visited network will grant access to the mobile station. Further, if encryption is desired
and the B-key step flag is active, the home network will send to the visited network a new S-key which may
be used to encipher the next call.

Alternatively, and to minimize inter-network communications in the performance of bilateral authentication,
the home network may initially send not only the RAND and RESPBIS, but also the RESP and S-key to the
visited network which may then use the RESP and S-key received from the home network to, respectively,
validate the RESP received from the mobile station and encipher subsequent calls where encryption is
desired. In addition, the home network may send a plurality of successive sets of RAND, RESP, RESPBIS,
S-key and B-key step flag values to the visited network for use in a plurality of successive
authentications. As discussed previously, however, it is more desirable, from a security standpoint, that
the home network release the S-key only after, and not before, the RESP has been validated by the home
network.

Call Counter

In addition to an authentication system for performing unilateral and bilateral authentication, the home network and the mobile station may include a call counter for tracking calls to and from the mobile station. Unlike the authentication system which is aimed at controlling fraud, the call counter is directed to monitoring or supervising the fraudulent use of network services. The call counter in the mobile station may be updated or incremented upon receipt of a call counter update message transmitted from the network to the mobile station. Similarly, the current value of the call counter in the mobile station may be sent to the network in a call counter retrieval message upon receipt of a request from the network.

To monitor fraudulent use, the network may compare the current value of the call counter received from the mobile station with the current value of the call counter in the network. Moreover, by examining the description and the sequence or logical progression of calls appearing in a mobile subscriber's bill, the mobile subscriber may be alerted to the existence of a fraudulent user which has, for example, stolen the MIN/ESN belonging to that mobile subscriber. In this respect, the call counter may be regarded as an independent fraud supervision means, distinct from the authentication system. There is no inherent linkage between the authentication messages and the call counter messages. The call counter, however, may be updated at the same time as the rolling key as illustrated below.

The rolling key update may be performed at any time during a conversation that the visited network decides to update the call counter in the home network and the mobile station. Before updating its call counter, the home network may request a bilateral authentication of the mobile station. A correct response from the mobile station would then result in a call counter update, a rolling key update and the generation of a new conversation key (S-key) which is sent to the visited network for use in subsequent calls. Similarly, the mobile station may update its call counter only if the bilateral authentication procedure verifies that the visited network is in genuine contact with the home network. Upon verification, the mobile station also updates its call counter and rolling key (B-key) and generates a new conversation key (S-key) for use in subsequent calls. It may be appreciated that, where the call counter and the rolling key are updated at the same time, a check of the mobile station and the home network call counters may also serve as an indication of whether the mobile station and home network are in the same rolling key state.

Relationship Between Encryption and Authentication

When enciphering of communication is desired in a visited network the ciphering keys must be communicated from the home network to the visited network. As mentioned heretofore, it is highly undesirable for the secret subscriber A-keys to circulate between networks on non-specially protected links. Preferably, the home network never releases the A-key of a given subscriber but only uses the A-key to generate a temporary talk variable (S-key) which is then used for enciphering a particular call or group of calls. The S-key is calculated and sent from the home network to the visited network upon receiving a MIN, a RAND and a RESP which are deemed valid. Since the S-key is calculated at the same time and by the same process as the RESP, successful authentication generally ensures that the network and the mobile station will have the same enciphering key (S-key) and, consequently, the enciphering of traffic or user data may begin as soon as authentication has been completed.

To illustrate the relationship between encryption and authentication, assume that encryption is enabled for a mobile station served by a visited network. The visited network periodically broadcasts a new RAND value to all mobile stations within its service area. Each of the mobile stations computes a response (RESP) which is sent along with MIN and, possibly, a call history parameter COUNT to the visited network. The visited network sends the current RAND value along with the MIN and RESP received from a particular mobile station to, and requests the enciphering key (S-key) from, the mobile station's home network. The home network compares the received RESP with the response it has obtained by applying RAND, A-key, B-key and ESN, for example, to AUTH and determines whether the mobile station is genuine whereupon the home network releases the temporary enciphering key (S-key) to the visited network. If the visited network does not receive an enciphering key, the visited network may deny service to the mobile station.

If the visited network grants access and assigns a TDMA channel to the mobile station, the parameters defining that channel, i.e., frequency, time slot and DVCC, are sent from the visited network to the mobile station which tunes to the allocated traffic channel. Thereafter, the visited network and the mobile station may communicate in the enciphered mode using the S-key. The visited network may send its frame counter value over the unencrypted SACCH and may also send frame count synchronization messages in a number of FACCH messages as described in the co-pending patent application entitled "Continuous Cipher Synchronization for Cellular Communication System", referred to above. Further exchanges of FACCH signalling or traffic take place in the enciphered mode.

Once the mobile station and the visited network have established communication on the traffic channel, the visited network may, at any time, request the execution of bilateral authentication and rolling key and call counter update by sending to the mobile station a RAND and a RESPBIS received from the home network and activating the B-key step flag. The mobile station uses the RAND, ESN, A-key and B-key in AUTH to generate the expected RESP and RESPBIS. If the internally generated RESPBIS agrees with the received RESPBIS, the mobile station sends the RESP to the visited network. The visited network sends RESP to the home network and, if the home network's internally generated RESP agrees with the received RESP, a newly calculated call variable or S-key may be sent from the home network to the visited network. The visited network stores the new S-key for use in future calls involving the visiting mobile station. The present call continues to be enciphered with the old S-key. Upon handover or call termination, the new S-key may come into use.
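
The bilateral exchange, B-key step flag and call counter described above, as an added example that is not part of the patent text. HMAC-SHA256 stands in for AUTH, and the Party class, the function names and all key and RAND values are assumptions constructed for the illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace


@dataclass
class Party:
    """Key and counter state held by a mobile station or by its home network."""
    esn: bytes
    a_key: bytes        # permanent key, never released by the home network
    b_key: bytes        # rolling key
    s_key: bytes = b""  # conversation key for the next call
    count: int = 0      # call counter


def auth(p, rand):
    """Stand-in for AUTH (assumption: HMAC-SHA256 instead of the S-box mixing).
    RESP, RESPBIS and S-key use the byte offsets of the output table in the text;
    the next B-key is taken as 8 bytes from the 'Next Kb' range (assumption)."""
    out = hmac.new(p.a_key + p.b_key, p.esn + rand, hashlib.sha256).digest()
    return {"RESP": out[0:4], "RESPBIS": out[4:8],
            "NEXT_B": out[13:21], "S_KEY": out[24:32]}


def _step(p, out):
    """Roll the B-key, store the new S-key and advance the call counter together."""
    p.b_key, p.s_key, p.count = out["NEXT_B"], out["S_KEY"], p.count + 1


def mobile_respond(ms, rand, respbis, step_flag):
    """Mobile: answer only if RESPBIS proves contact with the home network."""
    out = auth(ms, rand)
    if not hmac.compare_digest(out["RESPBIS"], respbis):
        return None                  # unverified network: no RESP, no update
    if step_flag:
        _step(ms, out)
    return out["RESP"]


def home_validate(home, rand, resp, step_flag):
    """Home: validate RESP and release a new S-key only after validation."""
    out = auth(home, rand)
    if resp is None or not hmac.compare_digest(out["RESP"], resp):
        return False, None
    if step_flag:
        _step(home, out)
        return True, home.s_key      # sent on to the visited network
    return True, None                # flag inactive: current keys stay in use


def bilateral(home, ms, rand, step_flag):
    """One exchange as relayed by the visited network."""
    respbis = auth(home, rand)["RESPBIS"]
    resp = mobile_respond(ms, rand, respbis, step_flag)
    return home_validate(home, rand, resp, step_flag)


def run_demo():
    # Constructed sample values, not taken from the patent.
    esn, a_key, b_key = bytes.fromhex("82a1b2c3"), bytes(range(16)), bytes(range(100, 108))
    home, ms = Party(esn, a_key, b_key), Party(esn, a_key, b_key)
    r = {}

    ok, s_key = bilateral(home, ms, b"\x00\x00\x00\x01", False)
    r["flag_off"] = (ok, s_key, ms.b_key == b_key, ms.count)

    ok, s_key = bilateral(home, ms, b"\x00\x00\x00\x02", True)
    r["flag_on"] = (ok, s_key == ms.s_key, ms.b_key == home.b_key, ms.count, home.count)

    # A base station with no link to the home network can only guess RESPBIS.
    before = replace(ms)
    r["rogue"] = (mobile_respond(ms, b"\x00\x00\x00\x03", bytes(4), True), ms == before)

    # A clone holding a copy of the mobile's memory completes an update first.
    clone = replace(ms)
    bilateral(home, clone, b"\x00\x00\x00\x04", True)
    r["after_clone"] = (home.count, ms.count, home.b_key == ms.b_key)

    # The valid mobile is now one rolling-key state behind the home network.
    ok, _ = bilateral(home, ms, b"\x00\x00\x00\x05", True)
    r["valid_after_clone"] = ok
    return r


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

In the last two scenarios the counter comparison (home 2, mobile 1) is what tells the operator that the two sides are no longer in the same rolling key state.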


Asynchronism of Rolling Key or B-Key

Authentication of a valid (non-fraudulent) mobile station in accordance with FIG. 4 requires that the same B-key input be used by both the mobile station and the network to generate the corresponding values of the RESP. For a variety of reasons, however, the B-key used by the valid mobile station may fall out of synchronization with the B-key used by the network. In the execution of bilateral authentication, for example, the RAND and RESPBIS generated by the network may be lost during transmission and never received by the mobile station which, therefore, fails to perform a B-key update. Furthermore, because the B-key, unlike the A-key, is not fixed or "hardwired" but is instead a changeable content of an electronic circuit, a variety of hardware-related problems, such as electromagnetic interference, switch failure, etc., may damage or completely destroy the value of the B-key in either the mobile station or the network leading to a loss of B-key synchronization between them.

Where technical difficulties cause asynchronization of the B-key between the mobile station and the network, the RESP of a valid mobile station will not match the RESP generated by the network and the authentication will fail even though the mobile station is not fraudulent. A mechanism is, therefore, needed to distinguish between a fraudulent mobile station and, for example, a valid but malfunctioning mobile station or, more generally, a valid mobile station using a B-key which, for one reason or another, has deviated from the B-key used by the network in the authentication of the mobile station.

Partitioning of RESP

Referring now to FIG. 5, an authentication system constructed in accordance with the present invention may now be seen. The inputs to and outputs from the authentication system of FIG. 5 are similar to those of the authentication system pictured in FIG. 4 except that, unlike the response in FIG. 4 which is dependent on both the A-key and the B-key (and the other inputs, if any), the response in FIG. 5 has been divided into a first response portion RESP-A, which is dependent on the fixed A-key (and the other inputs, if any) but not the changeable B-key, and a second response portion RESP-AB, which is dependent on the B-key but not the A-key or, preferably, on both the A-key and the B-key (and the other inputs, if any). The RESP-A and RESP-AB may be sent in the form of discrete responses from the mobile station to the network or may be combined, e.g., multiplexed in a multiplexer 200, to form the total response (RESP) which is sent from the mobile station to the network. In either event, since RESP-A is independent of the B-key, the network can authenticate a valid mobile station even if the B-key used by the valid mobile station has fallen out of synchronization with the B-key used by the network. In such instance, although the RESP-AB transmitted by the mobile station will not match the RESP-AB internally generated by the network, there will, nevertheless, be a match of the RESP-A and the authentication will succeed.

The virtues of the present invention may be further illustrated by considering the authentication possibilities in the absence and then presence of the present invention. Without the present invention, the comparison of responses by the network will produce either a full match or a total mismatch (no-match). In the case of a valid mobile station using a damaged, malfunctioning or otherwise unsynchronized B-key, the comparison of responses by the network will yield a no-match and may result in denial of service to the valid mobile station since the network cannot distinguish between a malfunctioning valid mobile station and a fraudulent mobile station using, for example, ESN tumbling. With the present invention, however, there is the additional possibility of recognizing a partial (RESP-A) match between the responses compared by the network where B-key asynchronization has occurred. Moreover, the present invention allows the network to distinguish between traditional fraudulent users which rely, for example, on the tumbling of MIN/ESN or similar non-cloning techniques and produce no-match responses, and advanced fraudulent users or clones which rely, instead, on the copying of the memory contents, including the A-key and B-key, of a valid mobile station and produce partial-match or full-match responses. In effect, the authentication system of the present invention provides either a full authentication or a partial or limited authentication of the mobile station. The possible outcomes for the comparison of responses according to the present invention and some typical reasons (sources) therefor are listed below:

1. No-match: a fraudulent mobile station using ESN tumbling or other non-cloning fraudulent techniques.
2. Partial match:
   (a) a valid mobile station using a damaged, malfunctioning or otherwise unsynchronized B-key.
   (b) a clone after the valid mobile station has performed a B-key update (through bilateral authentication, for example).
   (c) a valid mobile station after a clone has performed a B-key update.
3. Full match:
   (a) a valid mobile station using a synchronized B-key.
   (b) a clone where no B-key updating has theretofore been performed.
   (c) a clone where the B-key of the valid mobile station has not been updated since the cloning process.

As will be understood from the above listing and prior discussion, by comparing the RESP-A portion of the response (RESP), the network can distinguish between a valid mobile station and a non-clone (ESN tumbling, etc.) fraudulent user even where the B-key is out of synchronization. In addition, by comparing the RESP-AB portion of the response, the network can detect that a clone exists and take corrective action as necessary. It should also be clear from the foregoing that RESP-A and RESP-AB may be calculated in various ways and later combined to form the composite RESP in accordance with the operation of the present invention so long as RESP-A is independent of the B-key and both the RESP-A and RESP-AB portions of RESP are identifiable or may be ascertained from the RESP. Preferably, however, the constituent bits of RESP-A are not mathematically combined, e.g., X-ORed, to the constituent bits of RESP-AB, but are simply appended or multiplexed together to form the RESP which may then be demultiplexed to recover RESP-A and RESP-AB. Moreover, the specific proportions of RESP-A and RESP-AB contained in the RESP may be varied to accommodate a particular message length and format. Thus, for example, the RESP may consist of any one of the following illustrative combinations:

1. All of RESP-A and all of RESP-AB.
2. One half of RESP-A and one half of RESP-AB.
3. X% of RESP-A and Y% of RESP-AB where X, Y is any number between 0 and 100.

It will be readily appreciated by those of ordinary skill in the art that the authentication system of the present invention, including the A-key dependent RESP-A output and the B-key (and, preferably also A-key) dependent RESP-AB output, may be used for authentication on the analog control channel (ACC), the analog voice channel (AVC) and/or the digital traffic channel (DTC) at call set-up, mobile registration or during conversation and with or without encryption. It will be further appreciated that the A-key and B-key dependency of the other outputs of the authentication system, e.g., RESPBIS, S-key and B-key, may also be manipulated to effect the goals of the network operator. By way of illustration only, the RESPBIS may be made dependent on the A-key only thereby allowing the successful authentication of a valid base station despite B-key asynchronization. The S-key, on the other hand, may be dependent on both the A-key and B-key while the new value of the B-key may be dependent on the current value of the B-key.

Exemplary AUTH

Described below is an exemplary authentication algorithm which may be used to implement the teachings of the present invention as set forth hereinabove. It should be emphasized that, as pointed out previously, a variety of authentication algorithms may be used for this purpose and the particular algorithm AUTH illustrated and discussed below is only one of a great many. In the description which follows, certain byte counts have been chosen for certain input and output variables of the AUTH. It should be clearly understood, however, that such byte counts are exemplary only and are not intended and should not be construed as a limitation on the general use or applicability of AUTH. For example, the bit or byte lengths of RESP, RESPBIS and even RAND may change depending on which channel, e.g., analog control channel (ACC), analog voice channel (AVC), digital control channel (DCC) or digital traffic channel (DTC), is selected for the performance of unilateral or bilateral authentication. Such variations can be readily accommodated by the exemplary AUTH discussed hereinafter.

The exemplary AUTH uses a total of 32 bytes of input variables and generates 32 bytes of output variables. This is achieved by two applications of an algorithm which uses 16 bytes of input variables and generates 16 bytes of output variables. The input variables are:

    RAND:  Provision is made for up to 4 bytes      ] NON-SECRET
    ESN:   Provision is made for up to 4 bytes      ] VARIABLES

    Ka:    12 bytes of the permanent key (A-key)    ] SECRET
    Kb:    12 bytes of the rolling key (B-key)      ] VARIABLES

The 32 output bytes are designated for use as follows:

    0-3   : Authentication response (RESP)
    4-7   : RESPBIS (needed for bilateral authentication)
    8-12  : Information mask (if used)
    13-23 : Next Kb (if key update occurs)
    24-31 : Talk variable for enciphering call (S-key)

The 32 bytes of input to the algorithm are split into groups of 16 bytes, which are then used in the first application of the algorithm to produce a first 16 bytes of output (bytes 0-15). The 32 bytes of input are then split in a different way and used in the second application of the algorithm to produce a second 16 bytes of output (bytes 16-31).

The algorithm is adapted for very efficient and fast execution on simple microprocessors of the type used in cellular radio telephones. Recursive use of a small inner code loop serves to confine the code within a 100-byte region. The outer loop consists of iteratively executing a mixing process six times. The mixing process is illustrated in FIG. 6.

Referring now to FIG. 6, there is shown therein a schematic block diagram of the mixing process used in the exemplary authentication algorithm for the present invention. The mixing process 300 is provided with a first input of 16 key bytes and a second input of 16 input bytes. The 16 input bytes to the first iteration consist of the 4 bytes of ESN, 4 bytes of RAND and the 8 rolling key bytes Kb(0-7), in the following order:

    ESN    4 bytes
    RAND   4 bytes
    Kb(1)
    Kb(2)
    Kb(3)
    Kb(4)
    Kb(5)
    Kb(6)
    Kb(7)
    Kb(0)

The 16 key bytes which are provided as input to each iteration of the mixing process are a cyclic selection from the 8 rolling key bytes Kb(0-7) and the 16 permanent key bytes Ka(0-15). In the first application of the algorithm, the order of use of the 16 key bytes may be as follows:

    Iteration number    Key bytes used
    1                   Ka(0) ---> Ka(15)
    2                   Kb(0) ---> Kb(7); Ka(0) ---> Ka(7)
    3                   Ka(8) ---> Ka(15); Kb(0) ---> Kb(7)
    4                   Kb(4) ---> Kb(7); Ka(0) ---> Ka(11)
    5                   Ka(4) ---> Ka(11); Kb(0) ---> Kb(3)
    6                   Ka(0) ---> Ka(12); Kb(0) ---> Kb(2)

The above key sequences may be obtained simply by copying the key variables to a temporary memory area in the order Kb, Ka, Kb again, and selecting them sequentially from this memory starting at the appropriate place for each iteration.

The mixing process 300 combines the 16 key bytes and the 16 input bytes in pairs using, for example, byte-wide add instructions. The mixing process 300 also uses a random 1:1 substitution box or look-up table, referred to hereinafter as an S-Box, to convert a one byte value to another one byte value. An exemplary 1:1 S-Box which may be implemented by a 256-byte read-only memory (ROM) is set forth in the co-pending U.S. Patent Application entitled "Authentication System For Digital cellular communications". A 1:1 S-box means that every 8-bit input value produces a unique 8-bit output value, or stated differently, every possible 8-bit value occurs only once in the look-up table.

Referring next to FIG. 7, a schematic block diagram of a building block or mixing cell of the mixing process 300 may now be seen. The mixing process 300 may be generally constructed from a plurality of mixing cells or inner loops of the type shown in FIG. 7. The particular mixing process 300 shown in FIG. 6 may be visualized as a vertical stack of 16 such mixing cells. Each of the cells is provided with one key byte and one input byte which are added together by an adder 310. The output of the adder 310 is used to address the contents of an S-box 320 which releases an output byte stored at the address defined by the output of the adder 310. A software implementation of a substantially similar mixing cell or inner loop is set forth in the co-pending U.S. Patent Application entitled "Authentication System For Digital cellular communications".

The first application of the algorithm generates a first group of 16 output bytes, a part of which (bytes 0-7) may be used for the RESP and RESPBIS. The value of RESP (and RESPBIS) will depend on both the A-key and the B-key. In accordance with the present invention, however, the RESP should be partitioned into a first response portion RESP-A, which is dependent on the A-key but not the B-key, and a second response portion RESP-AB, which is dependent on both the A-key and the B-key. To generate the RESP-A, the current value of the B-key is stored and the B-key is set to an arbitrary value known to both the mobile station and the network. The arbitrary value need not be a fixed number, but may be a dynamic number such as, for example, an indication of the particular frequency or time slot assigned by the network to the mobile station. With the B-key set to the arbitrary value, the first application of the algorithm is run a first time and a first RESP value is obtained and stored. This first RESP will depend on the fixed A-key and the known B-key and may be used as the source for RESP-A. The current value of the B-key is then retrieved and the first application of the algorithm is run a second time with the B-key set to the current value and a second RESP value is obtained and stored. This second RESP value will depend on both the fixed A-key and the current B-key and may be used as the source for RESP-AB.

It will be recognized that if all the bytes of the first RESP are used to form RESP-A and all the bytes of the second RESP are used to form RESP-AB, the byte-length of the RESP which is the combination of RESP-A and RESP-AB will double, in the present context, from four bytes to eight bytes. To preserve a maximum RESP length, only some of the bits of each of the first RESP (RESP-A) and the second RESP (RESP-AB) may be used to form the combined RESP. Generally speaking, there is no limitation on the number of bits or bytes which are selected from the first RESP and second RESP so long as at least one or more bits or bytes are selected from each. Thus, for example, half of the first RESP and half of the second RESP or, alternatively, one fourth of the first RESP and three fourths of the second RESP, etc. are appended to each other or multiplexed together to form the total RESP.
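
The two-pass generation of RESP-A and RESP-AB just described, together with the no-match / partial-match / full-match comparison listed under "Partitioning of RESP", can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 stands in for AUTH (whose S-box is not given here), and KNOWN_B, roll_b_key, the key values and the scenario names are assumptions constructed for the illustration.

```python
import hmac
import hashlib

KNOWN_B = bytes(8)  # assumption: the agreed "arbitrary value" that replaces the B-key


def auth_resp(esn, rand, a_key, b_key):
    """Stand-in for the first application of AUTH, returning a 4-byte RESP.
    Assumption: HMAC-SHA256 replaces the S-box mixing process."""
    return hmac.new(a_key + b_key, esn + rand, hashlib.sha256).digest()[:4]


def roll_b_key(a_key, b_key, rand):
    """Stand-in B-key update: the new value depends on the current B-key."""
    return hmac.new(a_key + b_key, b"roll" + rand, hashlib.sha256).digest()[:8]


def partitioned_resp(esn, rand, a_key, b_key):
    """Run the stand-in twice and multiplex half of each result into one RESP."""
    first = auth_resp(esn, rand, a_key, KNOWN_B)   # B-key set to the known value
    second = auth_resp(esn, rand, a_key, b_key)    # B-key restored to its current value
    return first[:2] + second[:2]                  # RESP-A then RESP-AB, appended, not XORed


def classify(received, esn, rand, a_key, b_key):
    """Network side: demultiplex the received RESP and compare each portion."""
    expected = partitioned_resp(esn, rand, a_key, b_key)
    a_ok = hmac.compare_digest(received[:2], expected[:2])
    ab_ok = hmac.compare_digest(received[2:], expected[2:])
    if a_ok and ab_ok:
        return "full match"
    if a_ok:
        return "partial match"
    return "no-match"


def run_scenarios():
    # Constructed sample values, not taken from the patent.
    esn, rand = bytes.fromhex("82a1b2c3"), bytes.fromhex("0badcafe")
    a_key, b_key = bytes(range(16)), bytes(range(100, 108))

    def network(resp, net_b):
        return classify(resp, esn, rand, a_key, net_b)

    results = {}
    # 3(a): valid mobile station, synchronized B-key.
    results["valid_synced"] = network(partitioned_resp(esn, rand, a_key, b_key), b_key)
    # 2(a): valid mobile station whose stored B-key has one damaged bit.
    damaged = bytes([b_key[0] ^ 0x01]) + b_key[1:]
    results["valid_damaged_b"] = network(partitioned_resp(esn, rand, a_key, damaged), b_key)
    # 1: ESN tumbling, the caller holds neither key and can only guess.
    results["esn_tumbler"] = network(
        partitioned_resp(esn, rand, b"\xff" * 16, b"\xff" * 8), b_key)
    # 3(b)/(c): clone holding copies of both keys, no B-key update since the copy.
    results["clone_before_update"] = network(partitioned_resp(esn, rand, a_key, b_key), b_key)
    # 2(b): the valid mobile and the network have rolled the B-key; the clone has not.
    rolled = roll_b_key(a_key, b_key, rand)
    results["clone_after_update"] = network(partitioned_resp(esn, rand, a_key, b_key), rolled)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} {outcome}")
```

A partial match alone does not say whether the caller is case 2(a) or 2(b); it tells the network that the A-key is genuine and that the rolling-key state needs attention.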

The second application of the algorithm generates a second group of 16 output bytes which may be used for the conversation key (S-key), and, if performed, the updating of the rolling key (B-key). The second application of the algorithm is exactly the same as the first application except for the order in which the key bytes and input bytes are used. In the second application of the algorithm, the order of use of the 16 key bytes may be as follows:

    Iteration number    Key bytes used
    1                   Kb(0) ---> Kb(7); Ka(0) ---> Ka(7)
    2                   Ka(8) ---> Ka(15); Kb(0) ---> Kb(7)
    3                   Kb(4) ---> Kb(7); Ka(0) ---> Ka(11)
    4                   Ka(4) ---> Ka(11); Kb(0) ---> Kb(3)
    5                   Ka(0) ---> Ka(15)
    6                   Ka(3) ---> Ka(15); Kb(0) ---> Kb(2)

Additionally, the 16-byte input array may be initialized using Ka bytes instead of Kb bytes as follows:

    ESN(1)
    ESN(2)
    ESN(3)
    RAND(6)
    RAND(1)
    RAND(0)
    RAND(1)
    Ka(0)
    Ka(1)
    Ka(3)
    Ka(4)
    Ka(5)
    Ka(6)
    Ka(7)

After executing all six iterations of the second application of the algorithm, the second 8 bytes appearing in the 16-byte input array are used as the temporary enciphering variable (S-key) and the first 8 bytes become the next rolling key variable if an update of the rolling key is performed. In the event of a rolling key update, the first 8 output bytes overwrite the old rolling bytes in the order Kb(1), Kb(2), Kb(3), Kb(4), Kb(5), Kb(6), Kb(7), Kb(0).

As discussed above, the current value of the rolling key (B-key), which is used in the second application of the algorithm to generate a new value for the B-key and S-key, may fall out of synchronization between the mobile station and the network. Asynchronization of the B-key inherently leads to the asynchronization of the S-key and, consequently, to a failure of encryption. While partitioning of the RESP, as has been described herein, overcomes certain authentication difficulties associated with B-key asynchronization, a mechanism is needed to resynchronize the B-key and S-key and to restore the network's ability to carry on encrypted communications. Such a mechanism may be seen in the related co-pending U.S. Patent Application Serial No.      , entitled "Rolling Key Resynchronization in Cellular Verification and Validation System", referred to above.

The foregoing description shows only certain particular embodiments of the present invention. However, those skilled in the art will recognize that many modifications and variations may be made without departing substantially from the spirit and scope of the present invention. Accordingly, it should be clearly understood that the form of the invention described herein is exemplary only and is not intended as a limitation on the scope of the invention as defined in the following claims.



Claims 



1. A method for the generation of parameters for use in enhancing the security of communication in a communications system in which a mobile station is assigned a unique multi-digit permanent key and in which a changeable multi-digit rolling key is employed for increased security, both said permanent key and said rolling key being stored in said mobile station and the network of the mobile, said method comprising:

receiving at a location a plurality of multi-digit input signals, including, a signal representative of an authentication inquiry from the network along with the multi-digit permanent key of a particular mobile station and the multi-digit rolling key associated with said particular mobile at that particular time;

arranging at least some of the digits of said input signals in a first grouping;

calculating from said first grouping of input signals and said permanent key digits a first output value in accordance with a first algorithm;

assigning sequentially arranged blocks of at least some of the digits comprising said first output value to selected parameters for use within said system, including, a first authentication response to be used by said mobile station to reply to the authentication inquiry by the network;

arranging at least some of the digits of said input signals in a second grouping;

calculating from said second grouping of input signals and said permanent and rolling key digits a second output value in accordance with a second algorithm; and

assigning sequentially arranged blocks of at least some of the digits comprising said second output value to selected parameters for use within said system, including, a second authentication response to be used by the mobile station to reply to the authentication inquiry by the network; and

combining said first and second authentication responses into a single authentication response signal.

2. A method for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 1 wherein said first and second groupings include the same arrangement of digits.

3. A method for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 1 wherein said first and second algorithms are the same.

4. A method for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 1 wherein said first calculation includes along with the digits of said permanent key the digits of a preselected value having the same number of digits as said rolling key.

5. A method for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 1 wherein said single authentication response signal is formed by multiplexing said first and second authentication responses together.

6. A method for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 1 wherein said single authentication signal includes the same number of digits as both said first and second authentication responses.

7. A method for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 6 wherein said single authentication signal is formed by combining one half of the first authentication response and one half of the second authentication response.

8. A system for the generation of parameters for use in enhancing the security of communication in a communications system in which a mobile station is assigned a unique multi-digit permanent key and in which a changeable multi-digit rolling key is employed for increased security, both said permanent key and said rolling key being stored in said mobile station and the network of the mobile, said system comprising:

means for receiving at a location a plurality of multi-digit input signals, including, a signal representative of an authentication inquiry from the network along with the multi-digit permanent key of a particular mobile station and the multi-digit rolling key associated with said particular mobile at that particular time;

means for arranging at least some of the digits of said input signals in a first grouping;

means for calculating from said first grouping of input signals and said permanent key digits a first output value in accordance with a first algorithm;

means for assigning sequentially arranged blocks of at least some of the digits comprising said first output value to selected parameters for use within said system, including, a first authentication response to be used by said mobile station to reply to the authentication inquiry by the network;

means for arranging at least some of the digits of said input signals in a second grouping;

means for calculating from said second grouping of input signals and said permanent and rolling key digits a second output value in accordance with a second algorithm; and

means for assigning sequentially arranged blocks of at least some of the digits comprising said second output value to selected parameters for use within said system, including, a second authentication response to be used by the mobile station to reply to the authentication inquiry by the network; and

means for combining said first and second authentication responses into a single authentication response signal.

9. A system for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 8 wherein said first and second groupings include the same arrangement of digits.

10. A system for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 8 wherein said first and second algorithms are the same.

11. A system for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 8 wherein said first calculation includes along with the digits of said permanent key the digits of a preselected value having the same number of digits as said rolling key.

12. A system for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 8 wherein said single authentication response signal is formed by multiplexing said first and second authentication responses together.

13. A system for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 8 wherein said single authentication signal includes the same number of digits as both said first and second authentication responses.

14. A system for the generation of parameters for use in enhancing the security of communication in a communications system as set forth in claim 13 wherein said single authentication signal is formed by combining one half of the first authentication response and one half of the second authentication response.

15. A method for the generation of parameters for use in the authentication of a mobile station to a network within a radio communications system, in which a mobile station is assigned a unique multi-digit permanent key and in which a changeable multi-digit rolling key is employed for increased security, both said permanent key and said rolling key being stored in said mobile station and the network of the mobile, and wherein a limited degree of authentication of the mobile station is achieved when the value of said rolling key stored in the mobile station is different from the value of the rolling key stored in the network, said method comprising:

providing a plurality of multi-digit input signals, including, a signal representative of an authentication inquiry from the network along with the multi-digit permanent key of said particular mobile station and the multi-digit rolling key associated with said particular mobile at that particular time;

arranging at least some of the digits of said input signals in a grouping;

calculating from said grouping of input signals and said permanent key digits a first output value in accordance with an algorithm;

assigning sequentially arranged blocks of at least some of the digits comprising said first output value to selected parameters for use within said system, including, a first authentication response to be used by said mobile station to reply to the authentication inquiry by the network;

calculating from said grouping of input signals and both said permanent key and said rolling key digits a second output value in accordance with said algorithm; and

assigning sequentially arranged blocks of at least some of the digits comprising said second output value to selected parameters for use within said system, including, a second authentication response to be used by the mobile station to reply to the authentication inquiry by the network; and

grouping said first and second authentication responses into a single authentication response signal for providing authentication of the mobile to the network when both the permanent and rolling keys stored in the mobile and the network, respectively, are identical and limited authentication when only the respective per

16. A method for the generation of parameters for use in the authentication of a mobile station to a network within a radio communication system as set forth in claim 15 wherein said calculation to obtain said first output value includes along with the digits of said permanent key, the digits of a preselected value having the same number of digits as said rolling key.

17. A method for the generation of parameters for use in the authentication of a mobile station to a network within a radio communications system as set forth in claim 15 wherein said single authentication response signal is formed by multiplexing said first and second output values together.

18. A method for the generation of parameters for use in the authentication of a mobile station to a network within a radio communications system as set forth in claim 15 wherein said single authentication signal includes the same number of digits as both said first and second output values.

19. A method for the generation of parameters for use in the authentication of a mobile station to a network within a radio communications system as set forth in claim 18 wherein said single authentication signal is formed by combining one half of said first output value and one half of the second output value.

20. A system for the generation of parameters for use in the authentication of a mobile station to a network within a radio communications system in which a mobile station is assigned a unique multi-digit permanent key and in which a changeable multi-digit rolling key is employed for increased security, both said permanent key and said rolling key being stored in said mobile station and the network of the mobile, and wherein a limited degree of authentication of the mobile station is achieved when the value of said rolling key stored in the mobile station is different from the value of the rolling key stored in the network, said system comprising:

means for providing a plurality of multi-digit input signals, including, a signal representative of an authentication inquiry from the network along with the multi-digit permanent key of said particular mobile station and the multi-digit rolling key associated with said particular mobile at that particular time;

means for arranging at least some of the digits of said input signals in a grouping;

means for calculating from said grouping of input signals and said permanent key digits a first output value in accordance with an algorithm;

means for assigning sequentially arranged blocks of at least some of the digits comprising said first output value to selected parameters for use within said system, including, a first authentication response to be used by said mobile station to reply to the authentication inquiry by the network;

means for calculating from said grouping of input signals and both said permanent key and said rolling key digits a second output value in accordance with said algorithm; and

means for assigning sequentially arranged blocks of at least some of the digits comprising said second output value to selected parameters for use within said system, including, a second authentication response to be used by the mobile station to reply to the authentication inquiry by the network; and

means for grouping said first and second authentication responses into a single authentication response signal for providing authentication of the mobile to the network when both the permanent and rolling keys stored in the mobile and the network, respectively, are identical and limited authentication when only the respective permanent keys are identical.

21. A system for the generation of parameters for use in the authentication of a mobile station to a network within a radio communications system as set forth in claim 20 wherein said calculation to obtain said first output value includes along with the digits of said permanent key, the digits of a preselected value having the same number of digits as said rolling key.

22. A system for the generation of parameters for use in the authentication of a mobile station to a network within a radio communications system as set forth in claim 20 wherein said single authentication response signal is formed by multiplexing said first and second output values together.

23. A system for the generation of parameters for use in the authentication of a mobile station to a network within a radio communications system as set forth in claim 20 wherein said single authentication signal includes the same number of digits as both said first and second output values.

24. A system for the generation of parameters for use in the authentication of a mobile station to a network within a radio communications system as set forth in claim 23 wherein said single authentication signal is formed by combining one half of said first output value and one half of the second output value.

25. A method of authenticating a mobile station within a radio network by providing two degrees of authentication, a full authentication and a partial authentication

providing in both the mobile station and the network a unique multi-digit permanent key and a multi-digit changeable rolling key;

sending an authentication inqui
from the mobile to the network;

calculating in both the mobile and the network a first authentication response value from an algorithm based upon input values which include the authentication inquiry signal, the identification signal, and the permanent key;

calculating in both the mobile and the network a second authentication response value from said algorithm based upon input values which include the authentication inquiry signal, the mobile identification number, and both the permanent key and the rolling key;

joining at least some parts of each of said first and second authentication response values into a composite authentication response signal having a first and a second portion;

comparing the respective composite authentication response signals calculated in the mobile and in the network; and

providing full authentication of the mobile to the network in response to both the respective first and second portions of the composite authentication response signals being identical and providing partial authentication of the mobile to the network in response to only the respective first portions of the composite authentication response signals being identical.

26. A method of authenticating a mobile station within a radio network as set forth in claim 25 wherein said calculation to obtain said first authentication response value includes along with the digits of said permanent key, the digits of a preselected value having the same number of digits as said rolling key.

27. A method of authenticating a mobile station within a radio network as set forth in claim 25 wherein said composite authentication response signals are formed by multiplexing said first and second authentication response values together.

28. A method of authenticating a mobile station within a radio network as set forth in claim 25 wherein said composite authentication signal includes the same number of digits as both said first and second authentication response values.

29. A method of authenticating a mobile station within a radio network as set forth in claim 25 wherein said composite authentication signal is formed by combining one half of said first authentication response value and one half of the second authentication response value.

30. A method of authenticating a mobile station within a radio network as set forth in claim 25 in which said mobile is associated with a home network and seeks authentication within a visited network and wherein:

said calculating steps performed within said network are performed under control of the home exchange of said mobile.

31. A method of authenticating a mobile station within a radio network wherein as set forth in claim 25 in which said calculations to obtain said first authentication response value are performed with said permanent key along with a preselected value having the same number of digits as said rolling key and being incorporated into said algorithm in the same way the calculations to obtain said second authentication response value incorporate said rolling key.

32. A method of authenticating a mobile station within a radio network as set forth in claim 25 wherein the network identifies a mobile receiving partial authentication as a possibly fraudulent clone.

33. A system for authenticating a mobile station within a radio network by providing two degrees of authentication, a full authentication and a partial authentication, said system comprising:

means for providing in both the mobile station and the network a unique multi-digit permanent key and a multi-digit changeable rolling key;

means for sending an authentication inquiry signal from the network to the mobile and an identification signal from the mobile to the network;

means for calculating in both the mobile and the network a first authentication response value from an algorithm based upon input values which include the authentication inquiry signal, the identification signal, and the permanent key;

means for calculating in both the mobile and the network a second authentication response value from said algorithm based upon input values which include the authentication inquiry signal, the mobile identification number, and both the permanent key and the rolling key;

means for joining at least some parts of each of said first and second authentication response values into a composite authentication response signal having a first and a second portion;

means for comparing the respective composite authentication response signals calculated in the mobile and in the network; and

means for providing full authentication of the mobile to the network in response to both the respective first and second portions of the composite authentication response signals being identical and providing partial authentication of the mobile to the network in response to only the respective first portions of the composite authentication response signals being identical.

34. A system for authenticating a mobile station within a radio network as set forth in claim 33 wherein said calculation to obtain said first authentication response value includes along with the digits of said permanent key, the digits of a preselected value having the same number of digits as said rolling key.

35. A system for authenticating a mobile station within a radio network as set forth in claim 33 wherein said composite authentication response signals are formed by multiplexing said first and second authentication response values together.

36. A system for authenticating a mobile station within a radio network as set forth in claim 33 wherein said composite authentication signal includes the same number of digits as both said first and second authentication response values.

37. A system for authenticating a mobile station within a radio network as set forth in claim 33 wherein said composite authentication signal is formed by combining one half of said first authentication response value and one half of the second authentication response value.

38. A system for authenticating a mobile station within a radio network as set forth in claim 33 in which said mobile is associated with a home network and seeks authentication within a visited network and wherein:

said means for calculating within said network are under control of the home exchange of said mobile.

39. A system for authenticating a mobile station within a radio network wherein as set forth in claim 33 in which said calculations to obtain said first authentication response value are performed with said permanent key along with a preselected value having the same number of digits as said rolling key and being incorporated into said algorithm in the same way the calculations to obtain said second authentication response value incorporate said rolling key.

40. A system for authenticating a mobile station within a radio network as set forth in claim 33 wherein the network identifies a mobile receiving partial authentication as a possibly fraudulent clone.



41. A method for the verification and validation of a mobile station in a radio network in accordance with an authentication algorithm executed in each of said mobile station and said network, said method comprising the steps of:

transmitting a random challenge signal from said network to said mobile station;

applying to said authentication algorithm a set of inputs including said random challenge signal transmitted from said network to said mobile station, and a fixed key value and a changeable key value;

generating from said authentication algorithm a set of outputs including a first response signal which is dependent on said fixed key value and independent of said changeable key value, and a second response signal which is dependent on said changeable key value;

transmitting the first and second response signals from said mobile station to said network; and

comparing said first and second response signals transmitted from said mobile station to said network with the first and second response signals generated in said network.

42. The method of claim 41 wherein said set of inputs further includes the electronic serial number of said mobile station.

43. The method of claim 41 wherein said set of inputs further includes the mobile identification number of said mobile station.

44. The method of claim 41 wherein said set of outputs further includes a temporary encryption key value which is used to encipher communications between said mobile station and said network.

45. The method of claim 41 wherein said first and second response signals generated in said mobile station are combined prior to being transmitted to said network.

46. The method of claim 45 wherein only a portion of each of said first and second response signals generated in said mobile station is selected for transmission to said network and wherein said portion of each is multiplexed with the other portion prior to being transmitted to said network.

47. The method of claim 41 wherein said set of outputs further includes a third response signal and said method further comprises the steps of:

transmitting the third response signal generated in said network to said mobile station;

comparing said third response signal generated in said network and received in said mobile station with the third response signal generated in said mobile station; and

transmitting said first and second response signals generated in said mobile station to said network only if said third response signal generated in said network and received in said mobile station matches said third response signal generated in said mobile station.

48. The method of claim 47 wherein said set of outputs further includes a new changeable key value and said method further comprises the steps of:

transmitting from said network to said mobile station a signal indicative of changeable key value update; and

replacing the current changeable key value with said new changeable key value in response to said update signal.

49. The method of claim 48 wherein said random challenge signal, said third response signal generated in 
said network and said update signal are transmitted together in one message to said mobile station. 

50. The method of claim 41 wherein said set of outputs further includes a new changeable key value and said 
method further comprises the steps of: 

transmitting from said network to said mobile station a signal indicative of changeable key value
update; and 

replacing the current changeable key value with said new changeable key value in response to said 
update signal, said mobile station. 

51. A system for the verification and validation of a mobile station in a radio network in accordance with an 
authentication algorithm executed in each of said mobile station and said network, said system comprising: 

means for transmitting a random challenge signal from said network to said mobile station; 

means for applying to said authentication algorithm a set of inputs including said random challenge 
signal transmitted from said network to said mobile station, and a fixed key value and a changeable key 
value both of which key values are stored in said mobile station and said network; 

means for generating from said authentication algorithm a set of outputs including a first response signal which is dependent on said fixed key value and independent of said changeable key value, and a second response signal which is dependent on said changeable key value;

means for transmitting the first and second response signals generated in said mobile station to said network; and

means for comparing said first and second response signals generated in said mobile station and 
received in said network with the first and second response signals generated in said network. 

52. The system of claim 51 wherein said set of inputs further includes the electronic serial number of said 
mobile station. 

53. The system of claim 51 wherein said set of inputs further includes the mobile identification number of said 
mobile station. 

54. The system of claim 51 wherein said set of outputs further includes a temporary encryption key value which 
is used to encipher communications between said mobile station and said network. 

55. The system of claim 51 wherein said first and second response signals generated in said mobile station 
are combined prior to being transmitted to said network. 

56. The system of claim 55 wherein only a portion of each of said first and second response signals generated in said mobile station is selected for transmission to said network and wherein said portion of each is multiplexed with the other portion prior to being transmitted to said network.

57. The system of claim 51 wherein said set of outputs further includes a third response signal and said system 
further comprises: 

means for transmitting the third response signal generated in said network to said mobile station; 
means for comparing said third response signal generated in said network and received in said mobile station with the third response signal generated in said mobile station; and

means for transmitting said first and second response signals generated in said mobile station to said network only if said third response signal generated in said network and received in said mobile station matches said third response signal generated in said mobile station.

58. The system of claim 57 wherein said set of outputs further includes a new changeable key value and said method further comprises:

means for transmitting from said network to said mobile station a signal indicative of changeable key value update; and

means for replacing the current changeable key value with said new changeable key value in response to said update signal.

59. The system of claim 58 wherein said random challenge signal, said third response signal generated in said network and said update signal are transmitted together in one message to said mobile station.
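
The two degrees of authentication in claims 25 to 32, together with the network-to-mobile check and rolling key update of claims 47 and 48, as an added sketch that is not part of the patent text. HMAC-SHA256 stands in for the authentication algorithm, which the claims do not name; the key and response lengths, the all-zero preselected value, the way output blocks are assigned (including deriving the third response from the permanent key only), the rule that the network rolls its key only after a full match, and all names are assumptions.

```python
import hashlib
import hmac
import secrets

PRESELECTED = bytes(8)  # assumed: all-zero value, same length as the rolling key
HALF = 4                # responses are 8 bytes; the composite carries half of each


def outputs(rand, mobile_id, permanent_key, rolling_key):
    """Run the stand-in algorithm twice and slice each result into blocks."""
    def run(roll):
        # HMAC-SHA256 is a substitute; the claims do not name the algorithm.
        msg = rand + mobile_id + roll
        return hmac.new(permanent_key, msg, hashlib.sha256).digest()
    fixed = run(PRESELECTED)  # preselected value in the rolling key's place
    both = run(rolling_key)   # same algorithm, real rolling key
    return {
        "resp1": fixed[0:8],         # depends on the permanent key only
        "resp3": fixed[8:16],        # network's proof to the mobile (assumed split)
        "resp2": both[0:8],          # depends on both keys
        "new_rolling": both[8:16],   # next rolling key
        "session_key": both[16:32],  # temporary encryption key
    }


def composite(out):
    """Half of each response, so the reply is as long as one response."""
    return out["resp1"][:HALF] + out["resp2"][:HALF]


class Mobile:
    def __init__(self, mobile_id, permanent_key, rolling_key):
        self.mobile_id = mobile_id
        self.permanent_key = permanent_key
        self.rolling_key = rolling_key

    def answer(self, rand, resp3, update):
        out = outputs(rand, self.mobile_id, self.permanent_key, self.rolling_key)
        if not hmac.compare_digest(resp3, out["resp3"]):
            return None  # the network did not prove itself: send nothing
        if update:
            self.rolling_key = out["new_rolling"]
        return composite(out)


class Network:
    def __init__(self):
        self.keys, self.pending = {}, None

    def enroll(self, mobile_id, permanent_key, rolling_key):
        self.keys[mobile_id] = (permanent_key, rolling_key)

    def challenge(self, mobile_id, update=False):
        rand = secrets.token_bytes(4)
        out = outputs(rand, mobile_id, *self.keys[mobile_id])
        self.pending = (mobile_id, out, update)
        return rand, out["resp3"], update  # one message to the mobile

    def verify(self, reply):
        mobile_id, out, update = self.pending
        expected = composite(out)
        if reply is None or not hmac.compare_digest(reply[:HALF], expected[:HALF]):
            return "reject"
        if not hmac.compare_digest(reply[HALF:], expected[HALF:]):
            return "partial"  # permanent key matches, rolling key does not
        if update:  # assumed: the network rolls its copy only after a full match
            self.keys[mobile_id] = (self.keys[mobile_id][0], out["new_rolling"])
        return "full"


def demo():
    """Constructed subscribers: a genuine mobile, a stale copy, a wrong key."""
    mid = b"MIN-0001"  # constructed identifier
    perm, roll = secrets.token_bytes(16), secrets.token_bytes(8)
    net = Network()
    net.enroll(mid, perm, roll)
    genuine = Mobile(mid, perm, roll)
    stale_copy = Mobile(mid, perm, roll)  # holds the pre-update rolling key
    wrong_key = Mobile(mid, secrets.token_bytes(16), roll)
    results = {
        "genuine_update": net.verify(genuine.answer(*net.challenge(mid, True))),
        "genuine_next": net.verify(genuine.answer(*net.challenge(mid))),
        "stale_copy": net.verify(stale_copy.answer(*net.challenge(mid))),
        "wrong_key": net.verify(wrong_key.answer(*net.challenge(mid))),
    }
    bogus = (secrets.token_bytes(4), secrets.token_bytes(8), False)
    results["bogus_network"] = genuine.answer(*bogus)
    return results
```

Calling `demo()` returns one outcome per case; the `partial` outcome for the stale copy is the condition claims 32 and 40 treat as a possibly fraudulent clone.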
